The biggest threat to the growth of WordPress: perceived security

Whenever I talk to web developers outside the inner circle of the WordPress community, it is bound to come up: WordPress security. It is the most important reason why a certain group of people does not want a WordPress site. They think, they’ve read, they’ve heard that WordPress sites are not secure and that they have a bigger chance of getting hacked. They don’t trust WordPress. This perceived lack of security is what I perceive as one of the biggest threats to the growth of WordPress.

Just because people are scared of something does not mean they’re right. In the Netherlands, where I live, crime rates have been going down for a decade now. At the same time, people experience more anxiety and fear of crime than ever before. Their perceived idea of high crime rates is induced by (social) media. People’s perception of WordPress security is very flawed as well. WordPress is not insecure or unsafe to use. It is very sad (and a waste of resources) that people use a proprietary CMS because their perception of WordPress is off.

Why do people think that WordPress is less safe? I see two main reasons for that. The first reason is that WordPress is far bigger than most people know. Half of all websites are built on it. Statistically, it makes sense that more WordPress sites than sites built with a certain type of proprietary CMS get hacked, just because of the large numbers.

The second reason is the media. Let’s face it: fear sells. Blogs like Search Engine Journal just love to publish stories about plugins with security bugs and patches. And they should do so when those security issues are real because it’ll urge people to update. That’s awesome! 

However, the way these security bugs are described often makes them sound much worse than they actually are. In many cases, you already need an account with access to the wp-admin section of a website to even be able to exploit the issue. Although the article itself describes these security threats as medium or even low, its title will be ‘WordPress plugin vulnerability affects up to 2 million sites’. As if 2 million sites would have people with access to their admin that they do not trust…

Maybe we should also look at the reason behind these stories. Quite a few of them result from some security companies in our space wanting to “sell” their product based on the fear of getting hacked. Their “agenda,” in this case, is actually negative marketing for WordPress. They need a big headline, as otherwise, the news doesn’t get published, so they exaggerate the impact. As a community, we should discourage this type of behavior from those companies.

A quick analysis of the subjects of the articles published in 2024 in the WordPress category on Search Engine Journal also shows us that WordPress vulnerabilities are a hot topic. A total of 19 articles concerning vulnerabilities appeared, and only 8 articles were found that are about WordPress and not about security.

Articles like that actually make developers not want to talk about security issues or put security changes in their changelogs. I understand that from those developers, but it’s not good for any of us. Fixing a small issue that nobody was ever going to exploit should not lead to an article that makes people feel unsafe. It’s simply not that interesting. We have much more exciting things for journalists in our space to write about.

Let me be clear: this is not to blame Search Engine Journal. Roger Montti, who writes most of these for them, is actually a very nice guy :-). But we need to also tell him other stories. We need to have some balance. I hope the new WordPress Media Corps can help to take care of that, by feeding much nicer stories about other WordPress topics to outlets like this.

This article, The biggest threat to the growth of WordPress: perceived security, was published at Post Status — the community for WordPress professionals.
